Notes from Bruce Schneier's keynote at EPIC's "Stripping of Freedom" conference
Jan 6, 2011, 12:02 pm
#1
Original Poster
Join Date: Nov 2010
Location: Seattle, San Francisco, Cyberspace
Posts: 62
Notes from Bruce Schneier's keynote at EPIC's "Stripping of Freedom" conference
(I missed just a bit at the beginning, sorry about that ...)
Full-body scanners can't detect PETN. Dogs can, swabs can. The TSAs hope is that the scanners can detect the bulge. Once you know that, the ways to get around it are pretty easy. PETN is stable, you can roll it in various ways, make a shirt out of it, put it in your mouth -- go in and out 10 times, 20 times. None of this is new, surprising, or a secret. When the IATA talks about the machines not being effective, these are the techniques they're thinking about. When Israel doesn't deploy the machines that's why. But PETN is hard to explode -- shoe bomber and underwear bomber didn't make it work.
In November, Obama said he was told that the machines were effective against the kind of threat we say int he Christmas Day bombing. Exactly wrong way -- lousy threat modeling. Very strong backwards bias. Focuses on what happened last time. Focused on the tactic, not where the tactic was in time: bomber chose this tactic because the machines weren't in place. the nxt attack will be different. Terrorists are adaptive; they choose their tactics based on what defenses are in place.
There are two kinds of terrorists. Amateurs, like the guy who flew his plane into the Austin federal building -- wake up one day, decide to do something nasty. Professionals, like 9/11: well-planned, well-funded. Much rarer. Pretty much any security will stop the first kind; no airport security will stop the second kind. Airport security is the last line of defense, and not a good one.
What works?
Intelligence and investigation. Any attack has a series of events: recruiting, funding, training. Focusing on the general risk, and not specific poloist, is much more effective. We're at our worst when we have to guess the plot correctly. Individual risks are rare, so the way to defend against them: find the commonality
Building bridges with communities, weakening their communications, arresting them without fanfare, treating terrorists as criminals rather than enemy combatants.
The most effective airport security doesn't happen in the airports. the London liquid bombers, the Yemeni printer cartridges -- this is what failed in the Christmas bomber. It doesn't require guessing the plot, tactic, target. Defending tactics and targets only works if there's a small fixed set of tactics and targets. If there are hundreds of tactics, millions of targets, then all you do is force a change in plans. Scanners in LGA? they go to Islip. Defend airports completely? They go to shopping centers.
That being said, airports and airplanes deserve special attention. They're a favorite terrorist target, unique failure characteristics (plane crashes and everybody dies), airlines are national symbols (BA, Air France, JAL), and airplanes fly to foreign countries where terrorists are.
What works at the airport? Pre-9/11 security: detecting obvious guns and bombs. Works against amateurs, and some professionals. Because we screen for the obvious stuff, the underwear bomber had to build something inefficient -- instead of a fuse or a time, he had to resort to liquids, syringe, 20 minutes in the bathroom, setting pants on fire … didn't work, passengers subdued him. That's a security success.
Napolitano was on camera saying "the system worked". She was unfairly vilified -- terrorist in custody, plane landed safely, that's what you want.
There are lots of stories about screeners missing guns and bombs. Big media fanfare. These stories don't bother me. You're never going to get 100% security -- we can't even keep guns out of prison, how will we keep 'em out of airport? More importantly, the effects of getting caught are severe. If you've got a gun, they'll call the FBI; at least ruin your day. So even if it's not perfect, you can't build a plot around getting a gun through: effects to severe if you're caught.
Compare with a plot built around liquids. Cost of failure is 0: TSA says "throw the liquid in the trash," that's it. So you can try again. So we need some rationality. Either they're dangerous, in which case call the FBI; or they're not. It's how you know it's a charade, the TSA agents put the liquids in a trash two feet away, trash guy holds it away at the end of the day.
Canine screening works for baggage. Logistical challenges
Behaviorlal profiling works. hard to do right, easy to get wrong. Not racial, gender, attire-based.
Also need to close the non-passenger security holes: airline employees, other airport employees, vehicles … much less scrutiny. Civil aviation, lots of holes there.
Two things have made us safer since 9/11: reinforcing cockpit door, and passengers fighting back. Worked with Christmas bomber, just saw an article today about a Turkish airliner where the passengers overwhelmed the potential terrorist.
And most importantly, need not to be terrorized. Security based on fear doesn't work. Focuses on the specifics of what happened rather than the broad threat. We have the need to rewrite history -- makes us look backward instead of forward. "Something must be done. And this is something. So we must do it." that's kind of the logic we use, because we're scared. And we focus on the severity of the even, while annoying the probability. We don't think about whether the risk is comparable to our fear.
In the past decade, 465 passengers killed on planes, more than half since 9/11. Longest streak without fatal incidencts in years. 2000s was comparable to the 1960s, safer than the 1970s and 1980s. 2001 was the fourth worst year -- after 1985 and a few other years. More people are traveling now. In the US, 4 incidents this decade: 1 in 10 million+ departures. That's the mathematics. the risk is very rare, but not zero.
We can never stop a crazed loner like the Ft. Hood shooter. All security can do is get them shooting outside the security gates. When rare events occur, it's not always evidence of a systemic failure.
There's a counter-story I think we should all adopt, one of idominitability. refuse to be terrorized. Don't overreact, don't become defensive. there's a risk to being in a free society, our founders embrace it, we should too. Stop telling people to report suspicious activity -- they already do. When you prime them to report suspicious they wind up reporting "they dress funny, their food is strange" -- different, not suspicious. Relying on the gov't to solve all our problems doesn't work, against terrorism or national disasters or anything.
terrorism is rare. Even after 9/11, the most dangerous part of your trip is the taxi ride to the airport. More people die in cars each month than died on 9/11. You watch movies and TVs and you think terrorism is easy; it's not. It's hard, and easy to make mistakes. 9/11 just barely worked. There were systemic problems, and we also got really unlucky. Making public policy based on a rare event doesn't make sense.
Terrorism isn't a existential threat. they can't destroy our society, our way of life; it's only our reactions. When we engage in fear-mongering, we're doing the terrorists work. When we're scared, the terrorists succeed even if their plot fails. When we're indomitable, they fail even if their plot succeeds.
Q: thoughts about SecureFlight?
A: in general, I'm skeptical about separating into two categories. As soon as you do that, terrorists try to infiltrate the more-secure group. So I'm generally against it. Although Ed Luttwack gave some good arguments in favor of it. Similarly with arguments about screening pilots -- we're screening people in pilot uniforms. In many case, it's better to screen uniformly or randomly rather than putting people in categories and worrying whether we've got people in the right category.
Q: what about politics of terrorism? bureaucrats run the systems, and politicians seem to react backwrds-looking. is there a way to change the dynamics?
A: when people are scared, they want to be less scared. "I will do this thing that will make you less scared" as opposed to leading and making a Churchill-like speech: "we must be stronger than this". The political reaction is to overreact. The talk I just gave couldn't be made by a politician. If there aren't any attacks, politicians who do something can take credit for it -- Rumsfeld saying "no attacks since 9/11". Leading is hard, leading is dangerous. There's also the politicos from inistitutionality. Once the TSA is in place, they need to protect their careers. If they don't protect against past threats, and somebody does it, they look stupid. They banned printer cartridges … if the next attack is cereal boxes, they'll say "oh we couldn't have known that." It's politicians as followers, not politicians as leaders. Imagine the speech Bush could have given after 9/11
Q (from Ralph Nader): on the subject of over-regulating people, and under-regulating corporations. During the 60s/70s hijacks to Cuba, some of us -- incuding aviation security specialists -- demanded the FAA require strengthening cockpit doors. in the 70s, 80s, 90s. the airlines refused to do this, because it cost $3K/plane. the result was 9/11 -- they were able to take over the planes. in the 9/11 report, the authors chose not to focus on this issue. a simple regulatory change could have prevented it. and yet no discussion. why?
A: airline resisted all security changes, except for ID check -- which helped them cut down reselling tickets. airlines don't want to spend the money, because terrorists incidents affect air travel in general, not a particular airline -- no competitive benefit. it was a cheap and obvious solution, but the airlines fought it.
Full-body scanners can't detect PETN. Dogs can, swabs can. The TSAs hope is that the scanners can detect the bulge. Once you know that, the ways to get around it are pretty easy. PETN is stable, you can roll it in various ways, make a shirt out of it, put it in your mouth -- go in and out 10 times, 20 times. None of this is new, surprising, or a secret. When the IATA talks about the machines not being effective, these are the techniques they're thinking about. When Israel doesn't deploy the machines that's why. But PETN is hard to explode -- shoe bomber and underwear bomber didn't make it work.
In November, Obama said he was told that the machines were effective against the kind of threat we say int he Christmas Day bombing. Exactly wrong way -- lousy threat modeling. Very strong backwards bias. Focuses on what happened last time. Focused on the tactic, not where the tactic was in time: bomber chose this tactic because the machines weren't in place. the nxt attack will be different. Terrorists are adaptive; they choose their tactics based on what defenses are in place.
There are two kinds of terrorists. Amateurs, like the guy who flew his plane into the Austin federal building -- wake up one day, decide to do something nasty. Professionals, like 9/11: well-planned, well-funded. Much rarer. Pretty much any security will stop the first kind; no airport security will stop the second kind. Airport security is the last line of defense, and not a good one.
What works?
Intelligence and investigation. Any attack has a series of events: recruiting, funding, training. Focusing on the general risk, and not specific poloist, is much more effective. We're at our worst when we have to guess the plot correctly. Individual risks are rare, so the way to defend against them: find the commonality
Building bridges with communities, weakening their communications, arresting them without fanfare, treating terrorists as criminals rather than enemy combatants.
The most effective airport security doesn't happen in the airports. the London liquid bombers, the Yemeni printer cartridges -- this is what failed in the Christmas bomber. It doesn't require guessing the plot, tactic, target. Defending tactics and targets only works if there's a small fixed set of tactics and targets. If there are hundreds of tactics, millions of targets, then all you do is force a change in plans. Scanners in LGA? they go to Islip. Defend airports completely? They go to shopping centers.
That being said, airports and airplanes deserve special attention. They're a favorite terrorist target, unique failure characteristics (plane crashes and everybody dies), airlines are national symbols (BA, Air France, JAL), and airplanes fly to foreign countries where terrorists are.
What works at the airport? Pre-9/11 security: detecting obvious guns and bombs. Works against amateurs, and some professionals. Because we screen for the obvious stuff, the underwear bomber had to build something inefficient -- instead of a fuse or a time, he had to resort to liquids, syringe, 20 minutes in the bathroom, setting pants on fire … didn't work, passengers subdued him. That's a security success.
Napolitano was on camera saying "the system worked". She was unfairly vilified -- terrorist in custody, plane landed safely, that's what you want.
There are lots of stories about screeners missing guns and bombs. Big media fanfare. These stories don't bother me. You're never going to get 100% security -- we can't even keep guns out of prison, how will we keep 'em out of airport? More importantly, the effects of getting caught are severe. If you've got a gun, they'll call the FBI; at least ruin your day. So even if it's not perfect, you can't build a plot around getting a gun through: effects to severe if you're caught.
Compare with a plot built around liquids. Cost of failure is 0: TSA says "throw the liquid in the trash," that's it. So you can try again. So we need some rationality. Either they're dangerous, in which case call the FBI; or they're not. It's how you know it's a charade, the TSA agents put the liquids in a trash two feet away, trash guy holds it away at the end of the day.
Canine screening works for baggage. Logistical challenges
Behaviorlal profiling works. hard to do right, easy to get wrong. Not racial, gender, attire-based.
Also need to close the non-passenger security holes: airline employees, other airport employees, vehicles … much less scrutiny. Civil aviation, lots of holes there.
Two things have made us safer since 9/11: reinforcing cockpit door, and passengers fighting back. Worked with Christmas bomber, just saw an article today about a Turkish airliner where the passengers overwhelmed the potential terrorist.
And most importantly, need not to be terrorized. Security based on fear doesn't work. Focuses on the specifics of what happened rather than the broad threat. We have the need to rewrite history -- makes us look backward instead of forward. "Something must be done. And this is something. So we must do it." that's kind of the logic we use, because we're scared. And we focus on the severity of the even, while annoying the probability. We don't think about whether the risk is comparable to our fear.
In the past decade, 465 passengers killed on planes, more than half since 9/11. Longest streak without fatal incidencts in years. 2000s was comparable to the 1960s, safer than the 1970s and 1980s. 2001 was the fourth worst year -- after 1985 and a few other years. More people are traveling now. In the US, 4 incidents this decade: 1 in 10 million+ departures. That's the mathematics. the risk is very rare, but not zero.
We can never stop a crazed loner like the Ft. Hood shooter. All security can do is get them shooting outside the security gates. When rare events occur, it's not always evidence of a systemic failure.
There's a counter-story I think we should all adopt, one of idominitability. refuse to be terrorized. Don't overreact, don't become defensive. there's a risk to being in a free society, our founders embrace it, we should too. Stop telling people to report suspicious activity -- they already do. When you prime them to report suspicious they wind up reporting "they dress funny, their food is strange" -- different, not suspicious. Relying on the gov't to solve all our problems doesn't work, against terrorism or national disasters or anything.
terrorism is rare. Even after 9/11, the most dangerous part of your trip is the taxi ride to the airport. More people die in cars each month than died on 9/11. You watch movies and TVs and you think terrorism is easy; it's not. It's hard, and easy to make mistakes. 9/11 just barely worked. There were systemic problems, and we also got really unlucky. Making public policy based on a rare event doesn't make sense.
Terrorism isn't a existential threat. they can't destroy our society, our way of life; it's only our reactions. When we engage in fear-mongering, we're doing the terrorists work. When we're scared, the terrorists succeed even if their plot fails. When we're indomitable, they fail even if their plot succeeds.
Q: thoughts about SecureFlight?
A: in general, I'm skeptical about separating into two categories. As soon as you do that, terrorists try to infiltrate the more-secure group. So I'm generally against it. Although Ed Luttwack gave some good arguments in favor of it. Similarly with arguments about screening pilots -- we're screening people in pilot uniforms. In many case, it's better to screen uniformly or randomly rather than putting people in categories and worrying whether we've got people in the right category.
Q: what about politics of terrorism? bureaucrats run the systems, and politicians seem to react backwrds-looking. is there a way to change the dynamics?
A: when people are scared, they want to be less scared. "I will do this thing that will make you less scared" as opposed to leading and making a Churchill-like speech: "we must be stronger than this". The political reaction is to overreact. The talk I just gave couldn't be made by a politician. If there aren't any attacks, politicians who do something can take credit for it -- Rumsfeld saying "no attacks since 9/11". Leading is hard, leading is dangerous. There's also the politicos from inistitutionality. Once the TSA is in place, they need to protect their careers. If they don't protect against past threats, and somebody does it, they look stupid. They banned printer cartridges … if the next attack is cereal boxes, they'll say "oh we couldn't have known that." It's politicians as followers, not politicians as leaders. Imagine the speech Bush could have given after 9/11
Q (from Ralph Nader): on the subject of over-regulating people, and under-regulating corporations. During the 60s/70s hijacks to Cuba, some of us -- incuding aviation security specialists -- demanded the FAA require strengthening cockpit doors. in the 70s, 80s, 90s. the airlines refused to do this, because it cost $3K/plane. the result was 9/11 -- they were able to take over the planes. in the 9/11 report, the authors chose not to focus on this issue. a simple regulatory change could have prevented it. and yet no discussion. why?
A: airline resisted all security changes, except for ID check -- which helped them cut down reselling tickets. airlines don't want to spend the money, because terrorists incidents affect air travel in general, not a particular airline -- no competitive benefit. it was a cheap and obvious solution, but the airlines fought it.
Jan 6, 2011, 12:20 pm
#2
Join Date: Feb 2006
Location: DTW
Programs: DL 0.22 MM, AA 0.34 MM, PC Plat Amb, Hertz #1 GC 5*
Posts: 7,511
There's a counter-story I think we should all adopt, one of idominitability. refuse to be terrorized. Don't overreact, don't become defensive. there's a risk to being in a free society, our founders embrace it, we should too. Stop telling people to report suspicious activity -- they already do. When you prime them to report suspicious they wind up reporting "they dress funny, their food is strange" -- different, not suspicious. Relying on the gov't to solve all our problems doesn't work, against terrorism or national disasters or anything.
Jan 6, 2011, 12:43 pm
#3
FlyerTalk Evangelist
Join Date: Oct 2004
Posts: 10,037
The detail Schneier provides here jogs my memory to a TSAer who posted something here over a year ago. Here is that post:
You can click the blue button for the thread.
Well Bart, get ready to respect Bruce Schiener a little more; here are your solutions.
I think DHS/TSA knows all of this. But few of these things fit into the power and political grab that the TSA thirsts for on a regular basis. Hence, few of these things are employed.
Not to mention, few of these things would be actually seen by the general public. The TSA feels the need to be very public about what it does, hence the shameless PR about catching morons with drugs at checkpoints. Hence, "Security Theater."
Can't agree any more with Schneier's point about existential threats. The folks at TSA HQ have been doing a superb job at showing how the terrorists have won.
At this point, I would have more respect for Schneier if he would come up with a better mouse trap. Instead, he makes his money by pointing out flaws and criticizing the current system. He offers no alternatives other than big pie in the sky comments.
Does he really want us to be like the Israelis? Does he really want us to be like the French?
I have to hand it to Bruce, he's certainly made a lot of money out of his little theater of pointing fingers at what he calls security theater.
Does he really want us to be like the Israelis? Does he really want us to be like the French?
I have to hand it to Bruce, he's certainly made a lot of money out of his little theater of pointing fingers at what he calls security theater.
Well Bart, get ready to respect Bruce Schiener a little more; here are your solutions.
What works?
Intelligence and investigation. Any attack has a series of events: recruiting, funding, training. Focusing on the general risk, and not specific poloist, is much more effective. We're at our worst when we have to guess the plot correctly. Individual risks are rare, so the way to defend against them: find the commonality
Building bridges with communities, weakening their communications, arresting them without fanfare, treating terrorists as criminals rather than enemy combatants.
The most effective airport security doesn't happen in the airports. the London liquid bombers, the Yemeni printer cartridges -- this is what failed in the Christmas bomber. It doesn't require guessing the plot, tactic, target. Defending tactics and targets only works if there's a small fixed set of tactics and targets. If there are hundreds of tactics, millions of targets, then all you do is force a change in plans. Scanners in LGA? they go to Islip. Defend airports completely? They go to shopping centers.
That being said, airports and airplanes deserve special attention. They're a favorite terrorist target, unique failure characteristics (plane crashes and everybody dies), airlines are national symbols (BA, Air France, JAL), and airplanes fly to foreign countries where terrorists are.
What works at the airport? Pre-9/11 security: detecting obvious guns and bombs. Works against amateurs, and some professionals. Because we screen for the obvious stuff, the underwear bomber had to build something inefficient -- instead of a fuse or a time, he had to resort to liquids, syringe, 20 minutes in the bathroom, setting pants on fire … didn't work, passengers subdued him. That's a security success.
Napolitano was on camera saying "the system worked". She was unfairly vilified -- terrorist in custody, plane landed safely, that's what you want.
There are lots of stories about screeners missing guns and bombs. Big media fanfare. These stories don't bother me. You're never going to get 100% security -- we can't even keep guns out of prison, how will we keep 'em out of airport? More importantly, the effects of getting caught are severe. If you've got a gun, they'll call the FBI; at least ruin your day. So even if it's not perfect, you can't build a plot around getting a gun through: effects to severe if you're caught.
Compare with a plot built around liquids. Cost of failure is 0: TSA says "throw the liquid in the trash," that's it. So you can try again. So we need some rationality. Either they're dangerous, in which case call the FBI; or they're not. It's how you know it's a charade, the TSA agents put the liquids in a trash two feet away, trash guy holds it away at the end of the day.
Canine screening works for baggage. Logistical challenges
Behaviorlal profiling works. hard to do right, easy to get wrong. Not racial, gender, attire-based.
Also need to close the non-passenger security holes: airline employees, other airport employees, vehicles … much less scrutiny. Civil aviation, lots of holes there.
Two things have made us safer since 9/11: reinforcing cockpit door, and passengers fighting back. Worked with Christmas bomber, just saw an article today about a Turkish airliner where the passengers overwhelmed the potential terrorist.
And most importantly, need not to be terrorized. Security based on fear doesn't work. Focuses on the specifics of what happened rather than the broad threat. We have the need to rewrite history -- makes us look backward instead of forward. "Something must be done. And this is something. So we must do it." that's kind of the logic we use, because we're scared. And we focus on the severity of the even, while annoying the probability. We don't think about whether the risk is comparable to our fear.
In the past decade, 465 passengers killed on planes, more than half since 9/11. Longest streak without fatal incidencts in years. 2000s was comparable to the 1960s, safer than the 1970s and 1980s. 2001 was the fourth worst year -- after 1985 and a few other years. More people are traveling now. In the US, 4 incidents this decade: 1 in 10 million+ departures. That's the mathematics. the risk is very rare, but not zero.
We can never stop a crazed loner like the Ft. Hood shooter. All security can do is get them shooting outside the security gates. When rare events occur, it's not always evidence of a systemic failure.
There's a counter-story I think we should all adopt, one of idominitability. refuse to be terrorized. Don't overreact, don't become defensive. there's a risk to being in a free society, our founders embrace it, we should too. Stop telling people to report suspicious activity -- they already do. When you prime them to report suspicious they wind up reporting "they dress funny, their food is strange" -- different, not suspicious. Relying on the gov't to solve all our problems doesn't work, against terrorism or national disasters or anything.
terrorism is rare. Even after 9/11, the most dangerous part of your trip is the taxi ride to the airport. More people die in cars each month than died on 9/11. You watch movies and TVs and you think terrorism is easy; it's not. It's hard, and easy to make mistakes. 9/11 just barely worked. There were systemic problems, and we also got really unlucky. Making public policy based on a rare event doesn't make sense.
Terrorism isn't a existential threat. they can't destroy our society, our way of life; it's only our reactions. When we engage in fear-mongering, we're doing the terrorists work. When we're scared, the terrorists succeed even if their plot fails. When we're indomitable, they fail even if their plot succeeds.
Intelligence and investigation. Any attack has a series of events: recruiting, funding, training. Focusing on the general risk, and not specific poloist, is much more effective. We're at our worst when we have to guess the plot correctly. Individual risks are rare, so the way to defend against them: find the commonality
Building bridges with communities, weakening their communications, arresting them without fanfare, treating terrorists as criminals rather than enemy combatants.
The most effective airport security doesn't happen in the airports. the London liquid bombers, the Yemeni printer cartridges -- this is what failed in the Christmas bomber. It doesn't require guessing the plot, tactic, target. Defending tactics and targets only works if there's a small fixed set of tactics and targets. If there are hundreds of tactics, millions of targets, then all you do is force a change in plans. Scanners in LGA? they go to Islip. Defend airports completely? They go to shopping centers.
That being said, airports and airplanes deserve special attention. They're a favorite terrorist target, unique failure characteristics (plane crashes and everybody dies), airlines are national symbols (BA, Air France, JAL), and airplanes fly to foreign countries where terrorists are.
What works at the airport? Pre-9/11 security: detecting obvious guns and bombs. Works against amateurs, and some professionals. Because we screen for the obvious stuff, the underwear bomber had to build something inefficient -- instead of a fuse or a time, he had to resort to liquids, syringe, 20 minutes in the bathroom, setting pants on fire … didn't work, passengers subdued him. That's a security success.
Napolitano was on camera saying "the system worked". She was unfairly vilified -- terrorist in custody, plane landed safely, that's what you want.
There are lots of stories about screeners missing guns and bombs. Big media fanfare. These stories don't bother me. You're never going to get 100% security -- we can't even keep guns out of prison, how will we keep 'em out of airport? More importantly, the effects of getting caught are severe. If you've got a gun, they'll call the FBI; at least ruin your day. So even if it's not perfect, you can't build a plot around getting a gun through: effects to severe if you're caught.
Compare with a plot built around liquids. Cost of failure is 0: TSA says "throw the liquid in the trash," that's it. So you can try again. So we need some rationality. Either they're dangerous, in which case call the FBI; or they're not. It's how you know it's a charade, the TSA agents put the liquids in a trash two feet away, trash guy holds it away at the end of the day.
Canine screening works for baggage. Logistical challenges
Behaviorlal profiling works. hard to do right, easy to get wrong. Not racial, gender, attire-based.
Also need to close the non-passenger security holes: airline employees, other airport employees, vehicles … much less scrutiny. Civil aviation, lots of holes there.
Two things have made us safer since 9/11: reinforcing cockpit door, and passengers fighting back. Worked with Christmas bomber, just saw an article today about a Turkish airliner where the passengers overwhelmed the potential terrorist.
And most importantly, need not to be terrorized. Security based on fear doesn't work. Focuses on the specifics of what happened rather than the broad threat. We have the need to rewrite history -- makes us look backward instead of forward. "Something must be done. And this is something. So we must do it." that's kind of the logic we use, because we're scared. And we focus on the severity of the even, while annoying the probability. We don't think about whether the risk is comparable to our fear.
In the past decade, 465 passengers killed on planes, more than half since 9/11. Longest streak without fatal incidencts in years. 2000s was comparable to the 1960s, safer than the 1970s and 1980s. 2001 was the fourth worst year -- after 1985 and a few other years. More people are traveling now. In the US, 4 incidents this decade: 1 in 10 million+ departures. That's the mathematics. the risk is very rare, but not zero.
We can never stop a crazed loner like the Ft. Hood shooter. All security can do is get them shooting outside the security gates. When rare events occur, it's not always evidence of a systemic failure.
There's a counter-story I think we should all adopt, one of idominitability. refuse to be terrorized. Don't overreact, don't become defensive. there's a risk to being in a free society, our founders embrace it, we should too. Stop telling people to report suspicious activity -- they already do. When you prime them to report suspicious they wind up reporting "they dress funny, their food is strange" -- different, not suspicious. Relying on the gov't to solve all our problems doesn't work, against terrorism or national disasters or anything.
terrorism is rare. Even after 9/11, the most dangerous part of your trip is the taxi ride to the airport. More people die in cars each month than died on 9/11. You watch movies and TVs and you think terrorism is easy; it's not. It's hard, and easy to make mistakes. 9/11 just barely worked. There were systemic problems, and we also got really unlucky. Making public policy based on a rare event doesn't make sense.
Terrorism isn't a existential threat. they can't destroy our society, our way of life; it's only our reactions. When we engage in fear-mongering, we're doing the terrorists work. When we're scared, the terrorists succeed even if their plot fails. When we're indomitable, they fail even if their plot succeeds.
Not to mention, few of these things would be actually seen by the general public. The TSA feels the need to be very public about what it does, hence the shameless PR about catching morons with drugs at checkpoints. Hence, "Security Theater."
Can't agree any more with Schneier's point about existential threats. The folks at TSA HQ have been doing a superb job at showing how the terrorists have won.
